Ransomware may be frightening boards, but chief information security officers want to be viewed as guide dogs not guard dogs. Large organisations must use trusted third parties to extend their security teams and improve their threat-hunting capabilities
Alison Dyer, CISO, Urenco Group
Jonathan Hope, senior technology evangelist, Sophos
Christian Martorella, CISO, skyscanner
David Whitelegg, European security officer, Compass Group
What does the cyber threat landscape look like now, and how might this develop in the near future?
DW: A number-one concern for CISOs is ransomware. Cybercriminals are ever more diligent in preparing such attacks, using sophisticated methods and, in some cases, nation-state quality hacking tools. The paying of ransoms is also fuelling the threat, from SMEs to large global enterprises, everyone is in the crosshairs.
CM: Ransomware is not particularly new – organised crime gangs have used malware for more than a decade – but it has exploded recently. This surge is partly because of ransomware-as-a-service; even criminals who don’t know how to code can team up with those who do and divide the spoils. It’s also partly thanks to cryptocurrencies. Bad actors can stay anonymous by demanding crypto payments, which are quick, easy and difficult to trace. Regulation and government actions are tightening, though, for example, all cryptocurrency transactions have been banned in China. It will be interesting to see how ransomware attacks develop there.
AD: The European Union’s anti-money laundering and terrorism funding rules will likely drive an increase in ransomware for a couple of years until it comes into force. There are two business risks here, though. First is business resilience and continuity of your IT. The second is the increase in ransomware for operational technology (OT). When running production facilities which are part of critical national infrastructure – you don’t want to be hit by ransomware. Articulating the risk and getting the message heard in the boardroom is easier the bigger your risk. Someone once told me they had ‘risk envy’ because I have such a compelling case.
JH: According to Sophos’ recent State of Ransomware 2021 survey, ransomware is downward. In 2020, we saw 37% of global respondents hit by ransomware, and the year before, it was 51%. However, while the percentage went down, the recovery cost more than doubled. That’s because criminals are being more selective about who they attack and getting better at sizing up their victims; even working out where CEOs’ kids go to school and where they play golf so that they can trick them more convincingly than the usual phishing email. Thankfully, the industry is now better at working out potential reputational damage, which means the board can understand the risk rather than it being intangible.
What is state-of-the-art in threat hunting, and how feasible is it in large organisations?
JH: The festive season is usually a good time for cybercriminals to strike, as they know even the largest organisations will not have their IT departments at full strength. Today, it’s essential to keep on top of cybersecurity at all times. This need for round-the-clock protection is one reason we’ve seen many businesses opt for outsourced help, specifically a managed service that covers them 24 hours a day, 365 days a year. We had a customer call us on Christmas Day to be reassured someone was watching the business for them.
DW: Large enterprises can use economies of scale to centralise and focus their security efforts, such as using a security operations centre (SOC) to enable effective threat hunting across their entire IT estate. While the volume of monitoring data collected is staggering, artificial intelligence is increasingly used to provide real-time analysis, leading to the faster detection and containment of incidents. Trusted third-party partnerships are also important, but given a finite budget to spend on the cyber defence, a good understanding of the threat landscape is essential when selecting partners, to maximise all security controls effectiveness at the best value.
CM: Even at a large organisation, you might not always have the skills in-house to keep on top of threat hunting at all times. The main challenge for any organisation is having skilled individuals with a certain mindset, and right now there are not many in the market. Personally, a managed service for threat hunting is the way to go in the future. There also needs to be improved infrastructure because you need high performance to move and process data; if you have to manage that in-house, then costs could be prohibitive.
AD: When it comes to outsourcing SOC capabilities, particularly threat hunting, I think it’s vital that you go back to the first principles. Because you can outsource the services, but a breach will still cause reputational damage to your business, and as much as you’re outsourcing the services, you cannot outsource responsibility. It’s important that when you’re considering an outsourcing partner, you have to think of that team as an extension of your own team. Do they have the same values that you need for your company to protect it from a reputation damage perspective?
What is the best practice for cyberattack incident response planning and execution?
DW: The old Mike Tyson quotation, “everyone has a plan until they get punched in the mouth” comes to mind, while techies love playbooks, nothing focuses the mind more than dealing with a crisis scenario. Conducting desktop incident response exercises are an effective method to help businesses prepare for cyberattacks, but it’s crucial to involve all business functions – not just IT. A bonus outcome of such exercises is improving the business leadership understanding of the potential business impact of a major cyberattack
CM: I agree that for crisis management to work, everyone needs to be involved, including the public relations team, which must communicate externally. You need to know who does what, the chain of command, and the role for all the key stakeholders. There are so many things that under pressure could go wrong. That’s why you need to perform simulations and tabletop exercises to test your plans and ensure that everyone knows to do their part. And these exercises need to happen regularly, and the playbook should be updated all the time because change is happening quickly.
AD: Practice certainly makes perfect. You can’t plan for every scenario, though, because you don’t exactly know what the attack is going to be, where it will happen, how fast it’s going to go. But if you have done the proper preparation and are clear on the decision rights, roles, and responsibilities, then as a CISO, you are doing your job. Driving a culture of cybersecurity is easier when people see you as enablers. So we are aiming to be guide dogs, not guard dogs.
JH: You can look at your users in one of two ways: either consider them to be your worst enemies, because these are the people that click on the links and interact with the malware in the wrong way; or consider them your best friends – if you empower them they will be able to recognise what’s phishing and what’s ransomware and not interact with it in the wrong way, so they actually become an extension of your security team. Ultimately, the best organisations are the ones that have great internal communications.
To find out more, please visit sophos.com